Abstract

The constraints of lightweight distributed computing environments 
such as wireless sensor networks lend themselves to the use of sym- 
metric cryptography to provide security services. The lack of central 
infrastructure after deployment of such networks requires the neces- 
sary symmetric keys to be predistributed to participating nodes. The 
rich mathematical structure of combinatorial designs has resulted in 
the proposal of several key predistribution schemes for wireless sensor 
networks based on designs. We review and examine the appropriate- 
ness of combinatorial designs as a tool for building key predistribution 
schemes suitable for such environments. 

1 Introduction 

The management of cryptographic keys in any information system is one of 
the most challenging aspects of implementing cryptography. One of the most 
important key management processes is key establishment, which governs the 
placement of cryptographic keys in a network. This is especially relevant 
in applications of symmetric cryptography, where it is necessary to ensure 
that all parties who are authorised to access (or verify) a cryptographically 
protected piece of information have the appropriate key. 

Symmetric key establishment almost always involves a trusted third 
party, which we will term a key management authority (KMA), at some 
stage in the process. In some environments this KMA is online and avail- 
able at time of use. In such cases the third party is often referred to as 
a key distribution centre. However in many other environments it is not
possible for a KMA to form part of a live network and assist in online key
establishment. In this case the KMA can only be involved in initialisation 
processes that take place prior to deployment of the network. At this stage 
the KMA must equip each node in the network with the necessary crypto- 
graphic keys for facilitating security services after the nodes are deployed in 
the network. Key establishment schemes of this type are usually referred to 
as key predistribution schemes (KPSs) because the keys are distributed in 
advance and cannot be generated "on the fly". 

A major current trend in computing technologies is a shift from cen- 
tralised, relatively stable, wired networks consisting of powerful devices, to 
distributed, dynamic (ad hoc), wireless networks consisting of lightweight 
devices. This is being driven by the development of very small wireless 
computers, which can either be deployed on their own or embedded into 
everyday objects. The resulting ubiquitous networks have several impor- 
tant characteristics that typically include the need to conduct basic network 
services such as routing using the network nodes themselves (rather than 
via a centralised infrastructure), high unavailability rates of nodes, and the 
need for highly efficient network protocols due to the power and energy
constraints of the nodes. From the perspective of providing security services,
these characteristics lend themselves to the use of symmetric cryptography 
and to key predistribution for key establishment. 

Wireless sensor networks are just one class of emerging technologies of 
this type. While we will frame our discussion around wireless sensor net- 
works, which is the context for almost all of the related research, it is worth 
noting that many of the schemes we discuss may be equally applicable to 
other technologies with similar characteristics to wireless sensor networks. 

Combinatorial structures are natural objects on which to model many 
aspects of symmetric key management. For a survey of their contributions 
to key establishment, see [19]. In this paper we will focus only on key
predistribution, and on the application of combinatorial designs in particular.

The paper is organised as follows. In Sect. 2 we discuss wireless sensor
networks, outlining aspects which are of relevance to key predistribution. In
Sect. 3 we provide a brief background to combinatorial designs. In Sect. 4
we outline a basic model for a KPS and discuss fundamental schemes. In
the remaining sections we look at different applications of designs to key
predistribution. In Sect. 5 we discuss direct application of designs as KPSs.
In Sect. 6 we look at the use of designs as building blocks for KPSs. Finally in
Sect. 7 we focus on KPSs for special networking environments. Throughout
the discussion we will consider the extent to which combinatorial designs
are genuinely useful for building KPSs for wireless sensor networks.

2 Wireless Sensor Networks

A wireless sensor network (WSN) is an ad hoc network formed from a
collection of low-powered sensor nodes that gather data and use wireless
communication to transmit the information that they collect. The number of
nodes can vary from dozens to thousands, depending on the application [26].
WSNs are best suited to applications where some form of environmental
monitoring is required, but where the scale and hostility of the environment
do not lend themselves to the deployment of a few expensive monitoring
devices (such as humans). Examples include seismic data gathering, remote
habitat monitoring, gathering of ecological data, forestry welfare,
agriculture, disaster relief operations and military intelligence gathering
[22] [H [2]. The typical characteristics of a WSN are:

• Highly constrained nodes. The nodes are very small battery-powered 
devices and are highly constrained with respect to memory storage 
and power. They are thus limited in their computational and commu- 
nication ability. 

• Lack of central control. Once deployed, most WSNs do not feature any 
central control node. Thus all network functionality must be achieved 
through co-operation between the nodes. 

• Requirement to form a network to a sink. In most WSNs the assump- 
tion is that the sensor nodes will take readings and then attempt to 
communicate this data back to a sink, which is a more powerful de- 
vice that will periodically connect to the WSN and request data. The 
location of this sink in the network is typically not fixed (it could, for 
example, be a portable laptop). 

• Hop-based communication. Most WSNs use radio communication to 
connect between nodes. The constrained nature of the nodes means 
that in most cases the communication range of a node will be much 
smaller than the network diameter. Thus nodes communicate by hopping,
meaning that a node passes data to a node within range, which then
passes it on to a node within its range, etc.

• Dynamic network structure. It is generally assumed that WSNs are 
highly dynamic. Nodes are often assumed to regularly "sleep" to con- 
serve battery power. Nodes expire once their battery is drained. In 
some WSNs the nodes are mobile, although in most current applica- 
tions they are static. 

• Nodes vulnerable to compromise. The constrained nature of sensor
nodes means that strong security protection such as tamper-resistance
is usually not viable. Thus it is normally assumed that sensor nodes 
can be fairly easily captured and that any sensitive information (such 
as keys) that is stored on them is likely to be exposed. 

We will make three restrictions on the type of WSN that we consider for 
most of this paper: 

1. Homogeneous nodes. We will assume that all nodes have the same 
capabilities and constraints. 

2. Communication structure. We will assume that the main aim of any 
communication in the WSN is to send data from a node to the sink. 
We will thus not be attempting to set up fully connected subnetworks 
or establish group keys. 

3. No mobility. We will assume (for simplicity) that nodes are not mobile 
after deployment. In fact many of the solutions discussed here are also 
appropriate for mobile nodes. 

An important issue that affects KPS design is that WSNs vary in the extent 
to which the location of nodes is known prior to deployment. We will thus 
follow [20] by classifying WSNs as being either: 

1. Uncontrolled if the location of sensors cannot be predicted before de- 
ployment. This is the default WSN scenario and assumes that the 
application environment is sufficiently hostile that nodes cannot be 
positioned in any controlled way. For example, they may be released 
from the air over a disaster site. 

2. Partially controlled if some information about the location of sensors 
is known before deployment. This might be the case when sensors are 
strategically released from the air in batches. 

3. Fully controlled if the precise location of sensors is known before de- 
ployment. This is likely to be the case, for example, when sensors are 
deployed in a grid in a vineyard to monitor ground humidity. 

We will generally assume that a WSN is uncontrolled, however we will
discuss KPSs for other types of WSN in Sect. 7.

There has been some debate about the practicality of using public key 
cryptography to implement security services in a WSN [18]. While this
may indeed become more practical (and where it is, some aspects of key
establishment may become easier), the case for designing solutions that only
use symmetric cryptography remains strong. Symmetric cryptography is 
still preferred in many modern applications which are not as resource con- 
strained as WSNs because of the efficiency gains and the unique problems 
posed by management of public keys. Perhaps more compellingly, it is likely 
that as soon as public key cryptography is practical on a given sensor node 
technology, even more constrained sensor technology will be being developed 
where it is not. In this paper we assume that a fully symmetric solution is 
required. 

3 Combinatorial Designs 

In this section we briefly review some definitions and notation that we will 
employ later. We refer the reader to the combinatorial literature for further 
details [12]. 

A set system $(\mathcal{X}, \mathcal{B})$ consists of a set $\mathcal{X}$ of $v$ elements (points) and a
collection $\mathcal{B}$ of subsets (blocks) of $\mathcal{X}$. The degree of $x \in \mathcal{X}$ is the number of
blocks of $\mathcal{B}$ containing $x$, and $(\mathcal{X}, \mathcal{B})$ is regular if all points have the same
degree $r$. The rank $k$ of $(\mathcal{X}, \mathcal{B})$ is the size of the largest block in $\mathcal{B}$, and we
say that $(\mathcal{X}, \mathcal{B})$ is uniform if all blocks have size $k$.

A regular, uniform set system with $|\mathcal{X}| = v$, $|\mathcal{B}| = b$ is known as a
$(v, b, r, k)$-design. In such designs it must be the case that $bk = vr$. A
$(v, b, r, k)$-design in which every $t$ points occur on precisely $\lambda$ blocks is known
as a $t$-$(v, b, r, k, \lambda)$-design (we often just refer to a $t$-$(v, k, \lambda)$-design since $b$
and $r$ can then be uniquely derived). In a dual design, the roles of points
and blocks are interchanged. Symmetric designs are self-dual and thus have
$v = b$, $k = r$ and every $t$ blocks meeting in $\lambda$ points. A symmetric
2-$(s^2 + s + 1, s^2 + s + 1, s + 1, s + 1, 1)$-design is known as a projective plane.

A set system is a group-divisible design $\mathrm{GD}(n^u, k)$ if $v = nu$ and there
exists a partition $\mathcal{H}$ of $\mathcal{X}$ into $u$ groups of size $n$ such that:

1. Every $H \in \mathcal{H}$ intersects a block $B \in \mathcal{B}$ in at most one point;

2. Every pair of points from different groups occur together in precisely
one block.

A transversal design $\mathrm{TD}(k, n)$ is a $\mathrm{GD}(n^k, k)$ (in this case every $H \in \mathcal{H}$
intersects a block $B \in \mathcal{B}$ in precisely one point). A $\mathrm{TD}(t, k, n)$ is a further
generalisation where the second condition is applied to sets of $t$ points, rather
than pairs. A $\mathrm{TD}(k, n)$ is resolvable if the blocks can be partitioned into sets
$\mathcal{B}_1, \mathcal{B}_2, \ldots, \mathcal{B}_s$ such that each point of the design is contained in exactly one
block in each set. These sets are known as parallel classes.

A graph $\mathcal{G} = (\mathcal{X}, \mathcal{E})$ consists of a set of vertices $\mathcal{X}$ joined by edges in
$\mathcal{E}$, where $\mathcal{E} \subseteq \mathcal{X} \times \mathcal{X}$. We say that a pair of vertices $U$ and $V$ are adjacent if
$\{U, V\} \in \mathcal{E}$. The degree of a vertex $U$ is the number of vertices adjacent to
$U$. A graph is regular of degree $r$ if all vertices have degree $r$. A complete
$t$-partite graph is a graph whose vertices can be partitioned into $t$ disjoint
subsets such that two vertices are adjacent if and only if they belong to
distinct subsets. An $(n, r, \lambda, \mu)$-strongly regular graph is a regular graph on
$n$ vertices with degree $r$ such that any two distinct vertices have $\lambda$ common
neighbours if they are adjacent and $\mu$ common neighbours if they are not
adjacent.

4 Key Predistribution Schemes for WSNs 

In this section we provide an introduction to key predistribution for WSNs.

4.1 Key Predistribution Stages

The lack of any central control nodes in a WSN means that in order to 
equip sensor nodes with symmetric keys, a KMA will need to load keys 
onto nodes prior to deployment using a KPS to determine which keys are 
allocated to which nodes. After deployment, two nodes will be able to use 
a cryptographic service on a network link (such as encryption or a MAC) if 
they: 

1. are in radio communication range of one another; and 

2. share at least one key. 

If either of these conditions is not met then the nodes will have to seek a 
path of network links connecting them such that these conditions are met 
on each of the intermediate hops. Key establishment in a WSN can thus be 
regarded as consisting of the following three stages: 

1. Key predistribution. The KMA chooses a KPS defined on the $n$ nodes
$\mathcal{U} = \{U_1, \ldots, U_n\}$ in the network. Following [16], this KPS can be
modelled by a set system $(\mathcal{X}, \mathcal{B})$ (sometimes referred to as a key ring),
where $\mathcal{X} = \{x_i : 1 \le i \le v\}$ is a set of $v$ key identifiers and
$\mathcal{B} = \{B_j : 1 \le j \le n\}$ is a set of $n$ node allocations. For each key identifier $x_i$,
the KMA randomly selects a key $K_i$. The KMA then associates each
node $U_j$ in the network with a node allocation $B_j$ and issues $U_j$ with
the keys $L_j = \{K_i : x_i \in B_j\}$. Note that the association of $U_j$ with
$B_j$ need not be a secret, however the instantiation of $B_j$ by $L_j$ must
be.

2. Shared key discovery. If two nodes within communication range of 
one another wish to deploy a cryptographic service, they first need to 
determine if they have any keys in common. The default method is 
to broadcast their node allocations to one another, but more efficient 
techniques can sometimes be found. If they have key identifiers in 
common then a session key can be generated from the common keys 
associated with these identifiers by means of a suitable key derivation 
function. 

3. Path-key establishment. If two nodes fail to identify common keys dur- 
ing shared key discovery then they need to find a secure path between 
one another that employs intermediate nodes which can. Obviously, 
the shorter this secure path the better. 

4.2 Requirements 

The main challenge in designing a KPS that is suitable for this type of 
environment is that a balance must be sought between competing, and to 
an extent contradictory, requirements: 

• Storage. Nodes are memory constrained and thus the number of keys 
stored on each node should be kept as low as possible. 

• Connectivity. A WSN is dynamic and communication is expensive, 
thus each node should store sufficient keys that secure paths through 
the network can be established when needed. There are various dif- 
ferent measures for connectivity that could be applied in the context 
of WSNs. Measures of global connectivity assess the connectivity of 
the entire network as a whole. If the node allocations for any two 
nodes have non-empty intersection then we will refer to the network 
as having full connectivity. Measures of local connectivity, which assess
the ability of nodes to form secure paths with nodes in their close
neighbourhood, are probably most appropriate. One such, from [14],
is the probability that $U_i$ and $U_j$ have at least one key in common
(i.e. $B_i \cap B_j \neq \emptyset$). This notion can be generalised to measure local
connectivity with respect to secure paths of two hops or more.

• Resilience. Nodes are vulnerable to compromise, thus keys should
be distributed in such a way that the damage caused by exposure
of the keys stored on a node is controlled. It is not clear what the
"right" measure of resilience is in a WSN. One suggested measure
used in (T5] is fail(s), which is the probability that a link between two
noncompromised nodes $U_i$ and $U_j$ is affected after $s$ other nodes $S$ are
compromised at random, where a link is affected if $B_i \cap B_j \neq \emptyset$ and
$B_i \cap B_j \subseteq \bigcup_{U_k \in S} B_k$. Another measure proposed in [27] evaluates the
probability that compromise of $s$ nodes exposes all the keys from at
least one different (not compromised) node allocation.

• Efficiency. There are several processes involved in key establishment 
for a WSN that it may be desirable to make as efficient as possible 
since nodes are constrained by limited battery power. These include 
computation, shared key discovery and path-key establishment. We 
will be considering the first two, but note that path-key establishment 
generally involves consideration of routing algorithms in WSNs, which 
is out of scope for our discussion. 

• Network size. Since many applications of WSNs involve large numbers 
of nodes, it is important that a KPS can support a large number of 
nodes. 

The main challenge in designing KPSs is that several of these requirements 
tend to compete with one another. For example, increasing the maximum 
number of nodes that can be supported often involves increasing the storage 
at each node. Also, many KPSs trade off measures of connectivity against 
resilience. 

4.3 Baseline Schemes 

There are several important baseline KPSs. Although these are not all 
designed for WSNs, they provide benchmark schemes that can also be used 
to illustrate the requirements tradeoffs. 

Single Key KPS This KPS consists of a single key that is stored by each 
node in the network. It provides optimal connectivity and storage, but 
has very poor resilience since all communication links are affected by 
a single node capture. 

Complete Pairwise Key KPS In this KPS, a unique key is assigned to
each pair of nodes. This scheme has optimal connectivity and optimal
resilience, since compromise of one node does not affect any pair
of non-compromised nodes. However this KPS requires each node to
store $n - 1$ keys, which is infeasible if $n$ is large (which will be the case
in many WSNs).

Blom's KPS [5, 6] This scheme uses a symmetric bivariate polynomial
over a finite field $\mathrm{GF}(q)$, i.e. a polynomial $P(x, y) \in \mathrm{GF}(q)[x, y]$ with
the property that $P(i, j) = P(j, i)$ for all $i, j \in \mathrm{GF}(q)$. Node $U_i$ stores
the univariate polynomial $f_i(y) = P(U_i, y)$. In order to establish a
common key with $U_j$, node $U_i$ computes $K_{ij} = f_i(U_j) = f_j(U_i)$. This
process enables any two nodes to share a common key. If $P$ has degree
$w$, then each share consists of a degree $w$ univariate polynomial, hence
each node must store the $w + 1$ coefficients of this polynomial, which
requires as much space as storing $w + 1$ keys. Blom's KPS thus has
optimal connectivity and reasonable storage. It also has very simple
shared key discovery, with two nodes simply needing to broadcast their
identities to one another. With respect to resilience, an adversary who
captures $s$ nodes, where $s < t$, does not learn any information about
keys established between non-compromised nodes. However an adversary
who captures $w + 1$ or more nodes can interpolate the polynomial
$P$ and hence learn all the keys.

Note that Blom's KPS does not strictly conform to the model in
Sect. 4.1 since each user stores secret information that allows it to
generate its node allocation rather than storing the separate key
identifiers. Thus it reduces storage at the cost of requiring computation in
the form of polynomial evaluations each time a key identifier is
established.

Random KPS [13] This scheme is a probabilistic KPS, with each node
drawing keys uniformly without replacement from some finite keypool
$\mathcal{K}$. The properties of this scheme depend on the number of keys drawn
and the size of $\mathcal{K}$. In the basic scheme any two nodes can communicate
securely if they share at least one key. The basic scheme was further
parameterised in [11], where an additional threshold parameter was
introduced so that two nodes are required to have at least a threshold
number of keys in common before they can derive a key.
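
The threshold behaviour of Blom's KPS described above can be checked directly. The following Python code is an added example, not code from the paper or from [5, 6]: the prime modulus, the node identifiers 1 to 10 and all function names are assumptions chosen for illustration. It shows both nodes of a pair deriving the same key, and that $w + 1$ captured shares determine the share of any other node while the same interpolation over only $w$ shares does not.

```python
import random

Q = 2_147_483_647  # prime field size q = 2^31 - 1 (constructed parameter)


def make_symmetric_poly(w, rng):
    """KMA: coefficients a[i][j] = a[j][i] of P(x, y) = sum a[i][j] x^i y^j."""
    a = [[0] * (w + 1) for _ in range(w + 1)]
    for i in range(w + 1):
        for j in range(i, w + 1):
            a[i][j] = a[j][i] = rng.randrange(Q)
    return a


def share(a, node_id):
    """KMA: the w + 1 coefficients of f_i(y) = P(U_i, y) stored on node U_i."""
    w = len(a) - 1
    return [sum(a[i][j] * pow(node_id, i, Q) for i in range(w + 1)) % Q
            for j in range(w + 1)]


def pairwise_key(my_share, peer_id):
    """Node: K_ij = f_i(U_j), evaluated with Horner's rule."""
    acc = 0
    for coeff in reversed(my_share):
        acc = (acc * peer_id + coeff) % Q
    return acc


def lagrange_eval(xs, ys, x):
    """Value at x of the lowest-degree polynomial through the points (xs, ys) mod Q."""
    total = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num = den = 1
        for m, xm in enumerate(xs):
            if m != i:
                num = num * (x - xm) % Q
                den = den * (xi - xm) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def reconstruct_share(captured, target_id):
    """Interpolate the share of target_id from captured {node_id: share}.

    The coefficient of y^j in P(x, y) is a degree-w polynomial in x, and each
    captured share gives one point on it, so w + 1 shares pin it down exactly.
    """
    ids = list(captured)
    w = len(captured[ids[0]]) - 1
    return [lagrange_eval(ids, [captured[u][j] for u in ids], target_id)
            for j in range(w + 1)]


def demo(w=3, seed=7):
    # Fixed seed for a repeatable run; a real KMA would draw from a CSPRNG.
    rng = random.Random(seed)
    a = make_symmetric_poly(w, rng)
    shares = {u: share(a, u) for u in range(1, 11)}  # ten constructed nodes
    k_89 = pairwise_key(shares[8], 9)
    agree = k_89 == pairwise_key(shares[9], 8)
    full = {u: shares[u] for u in range(1, w + 2)}  # w + 1 captured nodes
    part = {u: shares[u] for u in range(1, w + 1)}  # only w captured nodes
    exposed = pairwise_key(reconstruct_share(full, 8), 9) == k_89
    not_recovered = pairwise_key(reconstruct_share(part, 8), 9) != k_89
    return agree, exposed, not_recovered


if __name__ == "__main__":
    print(demo())
```

The degree $w$ is therefore the quantity to size against the number of node captures the deployment is expected to tolerate, at a storage cost of $w + 1$ field elements per node.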

These baseline KPSs provide suitable motivation for several observations
concerning the building of KPSs for WSNs: 

1. Optimal connectivity is not necessary. Optimal connectivity is a nice 
feature, but unnecessary in a KPS for a WSN. It is certainly not needed 
in fully controlled WSNs. However, even in uncontrolled WSNs, since 
only a minority of sensor nodes will be within communication range of 
one another, the "costs" of optimal connectivity might not be worth 
paying. 

2. Deterministic schemes have some advantages. The obvious advantage 
of deterministic KPSs is that we can generally make definitive state- 
ments about their properties, which aids analysis. The example of 
Blom's KPS also illustrates that in deterministic schemes it may be 
possible to have very efficient shared key discovery. Lee and Stinson 
[14] also point out that deterministic schemes tend to involve fewer 
expensive pseudorandom computations during the key predistribution 
stage. In [25] it was argued that in certain cases probabilistic solutions
tend to converge to deterministic schemes, thus studying the
latter provides valuable insight. 

3. Flexibility is attractive. An attractive feature of the random KPS is 
that it is highly configurable with respect to the competing require- 
ments. Blom's KPS, for example, allows only minor tradeoffs to be 
made between storage and resilience. 

4. Compromise is desirable. It is unlikely that a WSN application will 
want the extreme tradeoffs seen in the case of the single and com- 
plete pairwise KPS. Even Blom's KPS is probably not enough of a 
compromise, with low storage coming at the cost of low resilience and 
computation requirements. Thus even if a KPS cannot offer flexibility,
it is desirable that it offers a "reasonable" compromise between
the competing requirements of Sect. 4.2.

There have been a large number of proposals for KPSs for WSNs. These tend 
to either be variants of the random KPS, deterministic KPSs, proposals for 
combining schemes or KPSs with special properties. There are also several 
surveys [8], [20], [31], each of which takes a slightly different approach. We will
now focus primarily on proposals that utilise combinatorial designs. 

5 Direct Application of Designs

Combinatorial designs are very natural objects to consider as candidate key 
rings for KPSs. They have the advantages of being deterministic and having 
rich and well understood structure. Indeed, they have been associated with 
the building of KPSs long before the emergence of WSNs [23]. In this
section we consider the direct application of $(v, b, r, k)$-designs as key rings
for a KPS. 

5.1 Two Interesting Classes 

The basic definition of a $(v, b, r, k)$-design is too general to guarantee any
interesting connectivity or resilience properties of the resulting KPSs. We 
first identify two potentially interesting classes of designs. 

5.1.1 Prioritising local connectivity: 

Our first class of designs are explicitly constructed for their local connectivity 
properties. It was shown in [15] that any block in a $(v, b, r, k)$-design meets
(has a non-empty intersection with) at most $k(r - 1)$ other blocks. Further,
every block meets $k(r - 1)$ blocks precisely when the design has the property
that any two blocks meet in at most one point, in which case the design
is known as a $(v, b, r, k)$-configuration. These $(v, b, r, k)$-configurations are
of interest since if they are used as key rings, the KPSs based on them
have optimal local connectivity [15]. Knowing that a design is a
$(v, b, r, k)$-configuration does not, unfortunately, offer any immediate guarantees about
its resilience. 

5.1.2 Prioritising resilience: 

A class of designs with built-in resilience properties are key distribution 
patterns. These were first proposed in [23], [24], although we present a slightly
more general definition here. 

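Definition 5.1 A $w$-key distribution pattern (KDP) is a set system $(\mathcal{X}, \mathcal{B})$
with $|\mathcal{B}| = n$ such that for any pair $B_i, B_j \in \mathcal{B}$ with $B_i \cap B_j \neq \emptyset$ and any
$\{B_{l_1}, \ldots, B_{l_w}\} \subseteq \mathcal{B} \setminus \{B_i, B_j\}$, we have:

$B_i \cap B_j \not\subseteq (B_{l_1} \cup \cdots \cup B_{l_w})$.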

A w-KDP can be used as a key ring for a KPS and offers optimal resilience 
if no more than w nodes are compromised. A w-KDP is only a design if 
it is also uniform and regular, which many known examples of KDPs are.
However, Definition 5.1 does not provide any guarantees of connectivity.

5.2 Fully Connected Designs 

An obvious class of designs to consider are those that offer full connectivity, 
which happens if every pair of blocks meet in at least one point. 

5.2.1 Fully connected configurations: 

It is shown in [15] that a $(v, b, r, k)$-configuration is fully connected precisely
when it is the dual of a 2-$(b, v, k, r, 1)$-design. It is further shown in [15]
that when this happens, $b \le k(k - 1) + 1$. Since $b$ represents the number
of nodes in a WSN, and this is likely to be large, it is clear that this latter
bound is one that we would like to meet, if at all possible. Fortunately there
is an infinite class of configurations with this property, namely the projective
planes, which are 2-$(q^2 + q + 1, q^2 + q + 1, q + 1, q + 1, 1)$-designs.

This means that if we wish to directly implement a configuration as 
a key ring in order to obtain a fully connected KPS with other desirable 
properties then there is really only one candidate family worth considering, 
the projective planes. Not only do they have optimal local connectivity, but 
amongst other advantages they have efficient shared key discovery [25]. They
were first proposed as key rings by [7]. However the significant "catch" with
using a projective plane is the restriction on the number of nodes relative
to the size of the node allocation. This means that facilitating a very large
number of nodes comes at the unattractive cost of relatively large key storage
for each node (in this case each node allocation contains $k$ identifiers, where
$k$ is approximately the square root of the maximum number of nodes).

5.2.2 Fully connected KDPs: 

The original concept of a KDP, as proposed in [23], [24], was for fully
connected KDPs. In this case the KDP, by definition, has every pair of blocks
meeting in at least one point. In [29] structures of this type are known
as $(2, w)$-KDPs. Several constructions of uniform and regular $(2, w)$-KDPs
are known. In [28], [23] it is shown that a 3-$(v, k, \lambda)$-design with
$w < (v - 2)/(k - 2)$ is the dual of a $(2, w)$-KDP. In [M] it is shown that every
$t$-$(v, b, r, k, \lambda)$-design is a $(2, t - 2)$-KDP and every symmetric
2-$(v, k, 2)$-design (biplane) is a $(2, 1)$-KDP. We also observe that the complete pairwise
KPS is a uniform, regular $(2, n - 2)$-KDP (as well as being a configuration).

5.2.3 Dual designs:

By definition, the dual of a 2-$(v, b, r, k, \lambda)$-design is fully connected, since
every pair of blocks meet in $\lambda$ points. A special subclass are the symmetric
designs, examples of which are the projective planes and the biplanes. In [27] 
symmetric partially balanced designs were proposed as key rings, however 
they share the problems of projective planes in being highly constrained in 
terms of the number of nodes they can support. 

5.2.4 Comment: 

In general, fully connected designs are unsuitable for direct application as 
KPSs for WSNs. Full connectivity places too many constraints on the pa- 
rameters. The main resulting problems are: 

• Lack of flexibility: While there are a number of constructions, they 
leave little room for flexibility of tradeoff between the important pa- 
rameters. 

• Restrictions on number of nodes: The tradeoff between number of 
nodes and storage tends to be unsatisfactory, with reasonable storage 
limitations leading to too tight a restriction on the maximum number 
of nodes. 

• Too much to the extreme: Full connectivity provides better connectiv- 
ity than we typically need for a WSN. The cost in terms of storage 
and resiliency is too high to be worth paying for most WSNs. 

Nonetheless, direct application of designs in this way provides more baseline 
KPSs with special properties for comparison, as well as being potentially 
useful components in more complex constructions. 

5.3 Designs Without Full Connectivity 

Given that full connectivity is not necessary for a KPS for a WSN, it is worth 
considering direct application of designs that do not have full connectivity. 
In such designs there will be blocks that do not intersect. This means that 
there will be pairs of nodes who do not share a key in the resulting KPS. 
In the first instance it seems wise to consider configurations, since these at 
least offer optimal local connectivity. 

5.3.1 Generalised Quadrangles:

In [7] the use of generalised quadrangles as WSN key rings was considered.
A $\mathrm{GQ}(s, t)$ is a $(v, b, t + 1, s + 1)$-design, where $v = (s + 1)(st + 1)$,
$b = (t + 1)(st + 1)$, two points lie on at most one block, two blocks meet in at most
one point, and a further property that outlaws the occurrence of "triangles"
holds. A $\mathrm{GQ}(s, t)$ is thus a configuration and hence offers optimal local
connectivity. In [7] several $\mathrm{GQ}(s, t)$s were shown to enable KPSs with good
resilience compared to the random KPS.

5.3.2 Common Intersection Designs: 

The idea behind the use of $\mathrm{GQ}(s, t)$s as key rings was generalised in [15]:

Definition 5.2 Let $(\mathcal{X}, \mathcal{B})$ be a $(v, b, r, k)$-configuration. We say that $(\mathcal{X}, \mathcal{B})$
is a $(v, b, r, k, \mu)$-common intersection design (CID) if for any distinct pair of
blocks $B_i, B_j \in \mathcal{B}$ we have: $|\{B_k \in \mathcal{B} : B_i \cap B_k \neq \emptyset \text{ and } B_j \cap B_k \neq \emptyset\}| \ge \mu$.

Thus any key ring based on a CID provides the guarantee that if two nodes
do not share a key, there will be at least $\mu$ nodes who could act as
intermediaries in a secure two-hop path between the original nodes. From a
connectivity perspective it is desirable for $\mu$ to be as large as possible since
this increases the chance that one of these intermediary nodes is within
communication range. Several upper bounds on $\mu$ were established in [T7]
and optimal CIDs were constructed using group-divisible designs, strongly
regular graphs and generalized quadrangles.

5.3.3 Transversal Designs: 

A useful class of CIDs is provided by the transversal designs, since a $\mathrm{TD}(k, n)$
is a $(kn, n^2, n, k, k^2 - k)$-CID. In [15] a particularly useful construction of
$\mathrm{TD}(k, n)$s that exist for any prime $k < n$ was used to construct CIDs. The
resulting key rings, termed linear schemes in [T3], have several interesting
properties:

• The values of $k$ and $n$ can be varied to produce key rings with a range
of compromises between the storage $k$, maximum number of nodes $n^2$,
local connectivity $k/(n + 1)$ and resilience.

• Local connectivity and resilience can be computed using formulae that
were derived in [14].

• They have a very efficient shared-key discovery phase, which involves 
two nodes exchanging identifiers and making a simple computation. 
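
To make these properties concrete, the following Python code (an added example, not taken from the paper or from [14], [15]) builds a TD(k, n) key ring from the lines y = ax + b over the integers mod n. That construction, the requirement that n be prime for it, and all function names are assumptions of this example. It checks shared-key discovery by arithmetic on node identifiers, the local connectivity k/(n + 1), the k^2 - k two-hop intermediaries for pairs with no common key, and fail(s) from Sect. 4.2 against a brute-force count.

```python
from fractions import Fraction
from itertools import combinations
from math import comb


def key_ring(k, n):
    """Node (a, b) is allocated key identifiers (x, a*x + b mod n), 0 <= x < k.

    Assumes n is prime and k <= n: n*n nodes, k keys each, k*n identifiers.
    """
    return {(a, b): frozenset((x, (a * x + b) % n) for x in range(k))
            for a in range(n) for b in range(n)}


def shared_key(u, v, k, n):
    """Shared-key discovery from the two node identifiers alone."""
    (a, b), (a2, b2) = u, v
    if a == a2:
        return None  # parallel lines never meet: no common key
    # Solve a*x + b = a2*x + b2 (mod n) for the x-coordinate of the meeting point.
    x = (b2 - b) * pow((a - a2) % n, -1, n) % n
    return (x, (a * x + b) % n) if x < k else None


def discovery_matches_ring(k, n):
    """True if the arithmetic shortcut agrees with intersecting the allocations."""
    ring = key_ring(k, n)
    for u, v in combinations(ring, 2):
        key = shared_key(u, v, k, n)
        expected = frozenset() if key is None else frozenset([key])
        if ring[u] & ring[v] != expected:
            return False
    return True


def local_connectivity(ring):
    """Fraction of node pairs whose allocations intersect."""
    pairs = list(combinations(ring.values(), 2))
    return Fraction(sum(1 for b1, b2 in pairs if b1 & b2), len(pairs))


def min_intermediaries(ring):
    """Fewest third nodes sharing a key with both ends, over pairs with no key."""
    best = None
    for (u, bu), (v, bv) in combinations(ring.items(), 2):
        if bu & bv:
            continue
        count = sum(1 for m, bm in ring.items()
                    if m not in (u, v) and bm & bu and bm & bv)
        best = count if best is None else min(best, count)
    return best


def fail_exact(n, s):
    """fail(s) when every link uses one key and every key sits on n nodes."""
    others = n * n - 2        # nodes other than the two link ends
    clean = others - (n - 2)  # of those, the ones not holding the link key
    return 1 - Fraction(comb(clean, s), comb(others, s))


def fail_bruteforce(ring, s):
    """fail(s) counted straight from the definition: link keys covered by S."""
    affected = total = 0
    for (u, bu), (v, bv) in combinations(ring.items(), 2):
        link = bu & bv
        if not link:
            continue
        rest = [bm for m, bm in ring.items() if m not in (u, v)]
        for captured in combinations(rest, s):
            total += 1
            affected += link <= frozenset().union(*captured)
    return Fraction(affected, total)


if __name__ == "__main__":
    ring = key_ring(3, 7)  # constructed parameters: k = 3 keys, 49 nodes
    print(discovery_matches_ring(3, 7), local_connectivity(ring),
          min_intermediaries(ring), fail_exact(7, 5))
```

Raising k improves local connectivity and the number of two-hop intermediaries at the cost of storage, while raising n lowers fail(s) for a fixed number of captures and lowers connectivity.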

5.3.4 Generalised Transversal Designs:

An example of a class of designs that do not offer full connectivity and are 
not configurations are the generalised transversal designs $TD(t, k, n)$. For 
example, a block in a $TD(3, k, n)$ intersects other blocks in either 0, 1 or 
2 points, hence is not a configuration. In [TJ] $TD(3, k, n)$s were used to 
construct key rings based on a requirement that a pair of nodes shares two 
keys before they can derive a session key. The performance of these so-called 
quadratic schemes was analysed in [13] and shown to offer some interesting 
tradeoffs. For example, they offered better resilience than linear schemes 
for low levels of compromised nodes, while providing similar levels of local 
connectivity. 

5.3.5 Trivial KDPs: 

Let Q be a connected graph on n vertices with no loops or multiple edges. 
Associate a vertex with node $U_j$, assign a unique key identifier $x_i$ to each 
edge, and define node allocation $B_j$ to be the set of edges (key identifiers) 
adjacent to $U_j$. The result is an $(n - 2)$-KDP, which offers the maximum 
possible resilience. This is an example of a trivial inclusion-KDP [19]. The 
advantage of designing KPSs in this way is that Q can be analysed for connectivity 
and path-length properties. Trivial KDPs are $(v, b, 2, k)$-designs 
when Q is regular of degree k. 

In [16] it was pointed out that one class arises from strongly regular 
graphs, since these graphs offer a guaranteed number of possible two-hop 
paths between any disconnected nodes. The cost associated with a trivial 
KDP is that in order to get good levels of connectivity the graph typically 
needs to be "dense" with edges, which means that the storage for each user 
tends to be on the high side. The IOS KPSs in [16] employ a trick for 
reducing this storage which works if Q is a connected regular graph whose 
vertices have even degree. This comes at a small computational cost, as well 
as the security cost of relying on a hash function. 

5.3.6 Comment: 

Designs without full connectivity are certainly more promising for design- 
ing KPSs for WSNs. The main advantage over fully connected designs is 
increased room for flexibility. The local connectivity levels can be traded off 
against other parameters, particularly resilience. This increased relaxation 
of parameters also tends to facilitate an increase in the maximum num- 
ber of nodes that can be supported given a particular storage constraint. 
Nonetheless, a number of problems remain: 

• Lack of flexibility: While flexibility is generally better than for fully 
connected designs, it is still severely constrained by the combinatorial 
requirements. 

• Restrictions on number of nodes: Despite an improvement, there is 
still a limit to the number of nodes that can be supported, again due 
to the combinatorial constraints. 

Direct application of designs without full connectivity thus provides another 
interesting collection of KPSs. It should be noted however that in comparison 
to fully connected designs, these designs have not been studied as much 
and so useful constructions may not yet have been discovered. While their 
direct applicability is limited, they again provide excellent components for 
building more complex KPSs. 

5.4 On Direct Application of Designs 

The rich mathematical structure of combinatorial designs makes them suit- 
able for building KPSs with particular properties. However most interesting 
classes of design probably offer too much structure. Some designs offer "all 
or nothing" guarantees of properties, when a more gradual curve would be 
preferable. An example of this is w-KDPs (for small w), whose resilience 
guarantees are no longer offered when more than w nodes are compromised. 
Designs are also uniform and regular by definition, although there is no 
strict need for these properties in a KPS. The main problem however is that 
straight application of designs tends not to provide enough flexibility to gen- 
erate a wide range of KPSs suitable for different application requirements. 

6 Designs as a Building Block 

Although combinatorial designs are not always suitable for direct application 
as KPSs for WSNs, they are very natural objects to use as components in 
the construction of a KPS. The resulting KPSs can hopefully be made more 
flexible, while still inheriting the advantages of designs that were outlined 
at the start of Sect. El Another way of looking at this is to start with a 
KPS based on direct application of a design and consider in what ways we 
could transform the original scheme in order to "get more for our money". 
We now consider a number of different techniques. 

6.1 Splitting a KPS 

One way of modifying a KPS is to split nodes, by associating each node 
in the original KPS with a set of nodes in a new KPS. The new scheme 
essentially consists of $\ell$ versions of the original KPS. The main gain here is 
that this allows an $\ell$-fold increase in the number of possible nodes in the 
network compared to the original scheme. 

The simplest technique is to essentially create $\ell$ "mirror copies" of the 
original KPS, where each split node is assigned the same node allocation 
of keys as its parent node. For general applications, this might seem a 
strange thing to do since there will now be $\ell$ nodes with exactly the same 
keys. However, for many applications of WSNs, particularly those where the 
main required security service is confidentiality with respect to non-members 
of the network, this may well be quite acceptable. 

The other extreme is to associate each version of the original KPS with 
a disjoint set of key identifiers. This will result in a significant reduction in 
the connectivity, since only nodes associated with a particular version will 
share keys. Partially overlapping sets of key identifiers will allow tradeoff 
between these two extremes. 

The Multiple IOS KPSs in [16] used this idea of splitting to increase the 
maximum network size of the IOS KPS (see Sect. 5.3). Since they are slightly 
different from our standard notion of a key ring (as defined in Sect. 4.1), 
the cost of splitting is different (in this case it is a loss of resilience). 

6.2 Extending a KPS 

As noted in Sect. 5, one of the main problems with straight application of a 
combinatorial design as a KPS is the restriction on the maximum number 
of nodes. One technique for overcoming this is to generate a KPS based 
on a combinatorial design and then extend it by appending additional node 
allocations that are not part of the original scheme. 

This technique was used in [7] to extend KPSs based on projective planes 
and generalized quadrangles. In order to enforce a degree of separation be- 
tween the appended node allocations and the originals, the new node alloca- 
tions were selected as random subsets of blocks of the complementary design 
(whose blocks are the complements of the blocks of the original design). The 
resulting KPSs were analysed in [7] and shown to have better connectivity 
than a random KPS, while allowing a greater number of nodes and increased 
resilience in comparison to the underlying design-based KPSs. 

Another possibility is to combine the node allocations of two different 
KPSs. This approach was taken in [27], where two KPSs arising from direct 
application of two partially balanced designs were combined. The resulting 
KPS remained fully connected, while the resiliency of the new scheme was 
slightly poorer than those of the original KPSs. 

6.3 Packing a KPS 

Another option is to increase the size of node allocations by adding key 
identifiers (packing). By packing the key identifiers more densely, we can 
expect better connectivity properties at an expected cost to resilience. 

We saw in Sect. 5.3 that some combinatorial designs without full connectivity 
have attractive properties for adoption as key rings. However, such 
designs often have low inherent connectivity. In [9] two packing strategies 
were tested in an attempt to increase the connectivity of the linear KPSs 
based on transversal designs. Both strategies involved merging KPS node 
allocations. The first strategy was random, whereas the second was deter- 
ministic. The results indeed indicate a small increase in connectivity at a 
small cost to resilience. 

6.4 Breaking up a KPS 

An alternative to making a KPS "bigger" through extending or packing is to 
break it up in various ways. Two initial suggestions for creating potentially 
interesting tradeoffs are: 

• Contracting a KPS: By removing key identifiers, either throughout 
the KPS or just on certain nodes, storage could be reduced at a cost 
to connectivity. 

• Block splitting: By splitting node allocations (for example creating two 
smaller node allocations from each original node allocation by dividing 
it in two) the maximum network size could be increased and storage 
reduced, again at a cost to connectivity. 

To our knowledge, the full benefits of these strategies as techniques for 
building KPSs with interesting properties have not yet been fully explored. 

6.5 Modifying a KPS 

Designs can be used to make structural modifications to an existing KPS. 
An interesting example of this is the Modified Blom KPS [16]. The Blom 
KPS, defined in Sect. 4.3, is a fully connected KPS based on a symmetric 
polynomial of degree w. In the Modified Blom KPS, we first define a complete 
bipartite graph on the set of nodes, which splits the nodes into two 
classes $U_1$ and $U_2$. We now establish a "Blom KPS" using an asymmetric 
polynomial (see [16] for details), which results in only pairs of nodes from 
distinct classes directly being able to establish a key. Nodes from the same 
class are required to establish a two-hop path via a node in the other class. 
This loss of connectivity comes at a gain in resilience, since an attacker now 
needs to compromise w nodes from one of the classes before the KPS is 
completely broken. 

6.6 Joining KPSs 

A more sophisticated use of KPSs as building blocks is to join many copies 
of a KPS together. Of course, we need a "rule" to determine how the 
integration is done. A natural source of such a rule is another KPS, perhaps 
with quite different properties. The intention is that the resulting KPS will 
mix the inherent properties of the component schemes. 

6.6.1 Product KPS: 

In such schemes an inner KPS and an outer set system $(X, \mathcal{B}^{\mathrm{out}})$ are 
integrated in the following way: 

1. The outer set system provides the core structure. Each node $U_j$ is 
associated with the block $B_j^{\mathrm{out}}$. 

2. Each key identifier $x_i$ in the set system defines a subset of nodes 
$N_i = \{U_j : x_i \in B_j^{\mathrm{out}}\}$. An inner KPS is then defined on the nodes $N_i$. In 
this KPS, each node $U_j \in N_i$ receives the node allocation $B_j^{\mathrm{in}_i}$. 

3. Only the node allocations of the inner KPSs are used in the final KPS. 
Hence each node $U_j$ receives the final node allocation 

Hence each node in the product KPS receives a final node allocation that 
consists of several inner KPS node allocations, one for each key identifier in 
the block associated with the node in the outer set system. 

Note that while we have defined the Product KPS in terms of inner 
KPSs based on a key ring, there is no reason why other KPSs cannot be 
used. Indeed the low storage of the Blom KPS, which derives its key ring 
rather than storing it explicitly, makes it an attractive candidate for the inner KPS, 
as we will see in some of the following instantiations of this generic scheme. 

6.6.2 Wei-Wu Product schemes: 

In [30] a general analysis of the Product KPS was conducted. It was shown 
that if the block size is fixed then the best resilience can be obtained if the 
outer set system is a design. Several constructions were proposed that used 
Blom KPSs as the inner KPS and used designs based on difference sets as 
the outer set system. 

6.6.3 Multiple Space Blom scheme: 

In [14] a product KPS was proposed where the outer set system is a linear 
KPS (see Sect. 5.3) and the inner KPSs are Blom KPSs. The resulting 
KPS was shown to have a different resilience curve compared to a linear 
scheme (better resilience for small numbers of compromised nodes) at the 
cost of some computation in order to establish keys. The efficient shared-key 
discovery property of both components is preserved. 
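
The three steps of the Product KPS in Sect. 6.6.1, instantiated in the way this subsection describes (linear outer scheme, Blom inner KPSs), look as follows. This is an added example, not code from the paper or from [14]; the linear block construction modulo a prime n, the field size P, the node-to-field-element encoding and all function names are assumptions made for the illustration.

```python
import secrets
from itertools import combinations

P = 2**31 - 1   # prime modulus for the Blom polynomials (size assumed for the example)

def outer_block(node, k, n):
    """Outer set system: block of node (a, b) in a linear scheme, n prime (assumed)."""
    a, b = node
    return {(x, (a * x + b) % n) for x in range(k)}

def node_uid(node, n):
    """Distinct non-zero field element for each node (hypothetical encoding)."""
    a, b = node
    return a * n + b + 1

def blom_polynomial(w, rng):
    """Symmetric coefficients c[i][j] = c[j][i] of f(x, y) = sum c[i][j] x^i y^j."""
    c = [[0] * (w + 1) for _ in range(w + 1)]
    for i in range(w + 1):
        for j in range(i, w + 1):
            c[i][j] = c[j][i] = rng.randrange(P)
    return c

def blom_share(c, uid):
    """Inner node allocation: the w + 1 coefficients of g(y) = f(uid, y)."""
    return [sum(c[i][j] * pow(uid, i, P) for i in range(len(c))) % P
            for j in range(len(c))]

def predistribute(k, n, w, rng=None):
    """KMA side. Returns node -> {key identifier x_i: Blom share in space x_i}."""
    rng = rng or secrets.SystemRandom()
    nodes = [(a, b) for a in range(n) for b in range(n)]
    # Step 1: the outer set system associates each node with a block.
    outer = {u: outer_block(u, k, n) for u in nodes}
    # Step 2: one inner Blom KPS per key identifier x_i, defined on N_i.
    spaces = {x: blom_polynomial(w, rng) for x in set().union(*outer.values())}
    # Step 3: the final allocation holds only inner allocations, one per x_i in the block.
    return {u: {x: blom_share(spaces[x], node_uid(u, n)) for x in outer[u]}
            for u in nodes}

def establish_key(my_shares, me, peer, k, n):
    """Node side: uses only its own shares and the peer's identifier."""
    common = outer_block(me, k, n) & outer_block(peer, k, n)
    if not common:
        return None                      # no shared space: a two-hop path is needed
    x = min(common)                      # distinct blocks meet in at most one point
    u = node_uid(peer, n)
    return sum(g * pow(u, j, P) for j, g in enumerate(my_shares[x])) % P

def pairwise_keys_in_space(alloc, x, k, n):
    """Keys derived by every pair of nodes in N_i for the key identifier x."""
    members = sorted(u for u in alloc if x in alloc[u])
    return {(u, v): establish_key(alloc[u], u, v, k, n)
            for u, v in combinations(members, 2)}

if __name__ == "__main__":
    k, n, w = 3, 5, 2                    # constructed toy parameters
    alloc = predistribute(k, n, w)
    a, b = (1, 2), (3, 0)
    print(establish_key(alloc[a], a, b, k, n) == establish_key(alloc[b], b, a, k, n))
    print(len(set(pairwise_keys_in_space(alloc, (0, 0), k, n).values())), "distinct keys")
```

In the direct linear scheme every pair of nodes in N_i would protect its link with the same key x_i; here each pair derives its own key, at a storage cost of k(w + 1) field elements per node.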

6.6.4 Multiple Space Modified Blom scheme: 

In [16] a product KPS was proposed where the outer set system consists of 
a trivial KDP based on a strongly regular graph that has been split into 
$\ell$ identical copies (as in Sect. 6.1) and the inner KPSs are Modified Blom 
KPSs. The Modified Blom KPSs were applied using the natural partition 
defined by the two classes of split nodes adjacent to each edge in the strongly 
regular graph. The resulting scheme was shown to have a different resilience 
curve compared to deploying a Modified Blom KPS across all nodes. 

6.6.5 Park-Blake schemes: 

In [25] complete subgraphs of two strongly regular graphs (the triangular 
graph and lattice graph) were used to define outer set systems. It was shown 
that if projective planes are used as the inner KPSs then the new schemes 
allow a greatly increased network size while still gaining from the efficient 
shared key discovery of the projective plane. Clearly these constructions 
also lend themselves to use of Blom schemes as the inner KPSs. 

6.6.6 Scope for Joining KPSs: 

Joining KPSs seems to be an interesting way of generating KPSs with dif- 
ferent parameter tradeoffs. There seems to be plenty of scope for further 
exploring effective ways of combining KPSs, as most of the existing work has 
focussed on instantiations of the Product KPS and employed Blom's KPS 
as the inner KPSs. 

6.7 The Pros and Cons of Combinatorial Engineering 

In Sect. 5 we saw that direct application of combinatorial designs is generally 
too restrictive to produce KPSs that are suitable for WSNs. In this section 
we have discussed a number of different techniques for using KPSs based 
on designs as building blocks. There is no reason why these techniques 
could not be used to combine deterministic KPSs based on designs with 
probabilistic random KPSs. 

With the exception of layered KPSs, this "combinatorial engineering" is 
not a normal study area for pure mathematicians and hence little theory 
on the subject exists. Indeed, for many of the techniques, the underlying 
combinatorial structure is sufficiently destroyed that the resulting properties 
can only be determined by simulations. 

It might be felt that combinatorial engineering is self-defeating in that 
many of the advantages of using combinatorial designs may be lost, espe- 
cially if they are combined with probabilistic KPSs. However it would seem 
that some combinatorics can be better than no combinatorics, since the 
properties of the underlying design-based KPS in most cases still provide 
some structural guarantees. It is also important to keep in mind the observations 
made in Sect. 4.3 and 5.4, which indicate that KPSs for WSNs are 
not by definition classical combinatorial objects and thus lend themselves to 
this type of manipulation. 

7 Designs for Special Networking Environments 

In this section we examine the application of combinatorial designs to KPSs 
that do not fully conform to the application environment of uncontrolled 
homogeneous nodes that we have discussed thus far. 

7.1 Partially Controlled KPSs 

The KPSs that we have discussed thus far are all uncontrolled (see Sect. 2) 
with respect to their final location. If we are able to have partial control 
over the location of nodes then this knowledge can be very useful in building 
a suitable KPS. 

An example of partial control occurs in networks in which nodes are 
deployed in groups in such a way that nodes from a group are deployed 
closer together on average than nodes from different groups. This group 
deployment might arise, for example, if nodes are deployed in batches from 
an aeroplane. It would be reasonable to expect nodes from one group to then 
be physically located closer to one another than nodes from different groups. 
As a result, keys can be predistributed more efficiently if this knowledge is 
taken into account. 

A possible paradigm is to assign node allocations to each group using 
a KPS defined only on that group. This KPS could be more "relaxed" 
with respect to connectivity than an uncontrolled KPS. We then need to 
build in some means for nodes from different groups to establish common 
keys. However it is also important to avoid communication bottlenecks, or 
the risk that an entire group could become disconnected from the rest of 
the network, so it is desirable to ensure that the probability of nodes from 
different groups being able to communicate securely is similar to that of 
nodes from within a group. This property was referred to as balanced local 
connectivity in [21]. 

The inherent structure required for group deployment of a KPS that has 
balanced local connectivity lends itself naturally to use of a combinatorial 
structure. In [21] such a KPS was proposed that utilises the structure of a resolvable 
transversal design $TD(k, m)$. The m parallel classes $P_1, P_2, \ldots, P_m$ 
of blocks of this design are further partitioned into sets of parallel classes 
$S_1, S_2, \ldots, S_\mu$, each containing $m/\mu$ blocks. Nodes in group $G_i$ are associated 
with the blocks in parallel classes contained in $S_i$. The proposed KPS 
is based on the Multiple Space Blom scheme of Sect. 6.6, with the outer 
KPS being based on the resolvable $TD(k, m)$. However in this KPS there 
are two inner KPSs: 

1. As in the Multiple Space Blom scheme, for each key identifier $x_i$ in 
the outer KPS, a Blom KPS is defined on the nodes $N_i = \{U_j : x_i \in$ 

2. A further Blom KPS is defined on the set of nodes $M_i = \{U_j : B_j^{\mathrm{out}} \in$ 

The analysis of the resulting KPS in [21] shows that it offers good balanced 
connectivity, while providing a flexible set of configurable parameters that 
allow connectivity and resilience to be traded off against storage costs. The 
KPS also inherits the efficient shared key discovery of the underlying outer 
KPS based on the transversal design. 

7.2 Fully Controlled KPSs 

It is of significant advantage for key predistribution to know the precise 
deployment location of nodes, since this is even more useful than partial 
location information, as discussed above. It might seem that in such cases 
of fully controlled networks it suffices to issue a node with keys for each of its 
neighbours, since these are known in advance. However in dense networks 
this is an inefficient technique and there are much better options. 

If nodes are deployed in a highly structured physical formation then it 
again becomes natural to look to combinatorial mathematics for building 
KPSs. The case of KPSs for WSNs arranged in square and hexagonal grids 
has been investigated in [1] and [3]. Efficient KPSs were constructed using 
a special type of combinatorial structure called a distinct difference config- 
uration. While these are not combinatorial designs, the node assignments 
that they generate can be viewed as a type of infinite combinatorial design. 
Nonetheless, this example serves as a warning that there are special networking 
environments where the "right" combinatorial structure for building efficient 
deterministic KPSs is not necessarily based on a conventional combinatorial 
design. 

7.3 KPSs for Heterogeneous Networks 

Although we restricted our previous discussion to homogeneous networks 
(see Sect. 2) it is worth making some observations about heterogeneous networks, 
where not all the nodes have the same capabilities. The most interesting 
class of heterogeneous network is probably hierarchical networks, 
where the nodes are partitioned into an ordered hierarchy, with nodes at 
a given level being more powerful than nodes at lower levels. The most 
common scenario is a simple two-level hierarchy. We now make a few obser- 
vations about the applicability of combinatorial designs to building KPSs 
for heterogeneous networks, and in particular two-level hierarchies. 

7.3.1 Simple two-level hierarchies: 

It is worth observing that many of the manipulations of KPSs discussed in 
Sect. 6 can result in KPSs that are suitable for simple two-level hierarchies, 
since the resulting node allocations have different sizes. For example: 

• A KPS could be partially packed (see Sect. 6.3) using a strategy that 
results in node allocations of two different sizes, the original and the 
packed. Nodes with packed node allocations will require greater storage 
capability. Further, as they hold more keys it is reasonable to 
expect them to be more likely to be involved in communication (both 
directly and as an intermediary). The resulting KPS is suited to applications 
where there is a two-level hierarchy of sensors where there 
is a fairly small difference in capability. 

• Similarly, if a KPS is extended (see Sect. 6.2) by adding node allocations 
of a different size to the original, then the resulting KPS will have 
similar properties to the previous case. For example, the extension to 
the projective plane discussed in [7] could involve choosing larger sub- 
sets of the complementary design, hence creating two classes of node 
allocations. 

7.3.2 Two-level hierarchies with a backbone: 

A more sophisticated class of two-level hierarchies are formed by networks 
where the top level of nodes form a fully connected backbone. Low level nodes 
are organised into subnetworks (sometimes called clusters) which "hang off" 
this backbone and are each associated with a unique high level node. Two 
low level nodes from the same subnetwork can try to communicate directly. 
On the other hand, two low level nodes from different subnetworks have to 
communicate via their high level node representatives. The top level nodes 
thus need to be significantly more powerful than low level nodes, since they 
are used as communication intermediaries. It is thus also reasonable to 
assume that they have significantly increased storage capability. 

There are many different possible approaches to designing a two-level 
hierarchical KPS with a backbone. The fully connected backbone could 
be realised, for example, by any of the KPSs discussed in Sect. 7.2. The 
subnetworks could be instantiated by any KPS (based on a design, or otherwise). 
There has been a significant amount of general research on key 
management in two-level hierarchical networks but, with the exception of 
a simple framework proposed in [10], there has been very little analysis of 
how to build deterministic two-level KPSs. There seems to be plenty of 
scope for further examining exactly how best to choose both the backbone 
and subnetwork KPSs in order to achieve two-level hierarchical KPSs with 
interesting properties. In particular, intelligent application of design-based 
KPSs would seem quite likely to lead to useful constructions. 

7.4 Comment 

We have seen in this section that combinatorial designs have had a role 
to play in building KPSs for WSNs that do not conform to the "classical" 
model of uncontrolled homogeneous nodes. They have found very natural 
application to group deployment of nodes, but are apparently less applicable 
to fully controlled deployment of nodes. What remains largely unexplored 
is their suitability to the design of deterministic heterogeneous WSNs, and 
this merits further study. 

8 Concluding Remarks 

We have explored the use of combinatorial designs in building KPSs for 
WSNs. While designs have been widely proposed for use in such schemes, to 
what extent are these schemes really useful? We argued that for WSNs full 
connectivity is not really necessary and that a key attribute of any KPS is 
flexibility to allow parameter tradeoffs. This tends to rule out many straight 
applications of designs as KPSs, although we have seen several examples of 
flexible families of designs, such as transversal designs, having several useful 
applications. However it certainly does not rule out designs either as build- 
ing blocks or components of KPSs. The unusual combinatorial engineering 
techniques that have seen the basic structure of a design manipulated in 
order to provide more flexible KPSs are certainly interesting and merit fur- 
ther study, although formal theoretical analysis of such techniques (as in 
many engineering processes) is not always possible. Combining KPSs based 
on designs has proved to be a very successful strategy for obtaining deter- 
ministic KPSs that trade off parameters, however again there would seem 
to be more work to do in fully understanding the best combination rules. 
Thus we would argue that combinatorial designs most definitely do have 
an important role to play in building KPSs for WSNs, but that their full 
potential is not yet fully understood. 